Restic: High-Availability Backup Strategy for Immich and Syncthing

(Simplified & Practical Edition – Generic Template)

Overview

This is a clean, generic template of a proven, simple backup strategy using a dedicated Vault LXC and Restic with REST server.
Separate repositories for different services, easy user looping, and direct pruning — minimal complexity, maximum reliability.

Infrastructure (Example Layout)

| Host / Service   | Example IP     | Role                                          | Example CTID |
|------------------|----------------|-----------------------------------------------|--------------|
| Proxmox VE Host  | 192.168.50.10  | Hypervisor, ZFS storage                       | -            |
| Immich LXC       | 192.168.50.142 | Production Immich application                 | 142          |
| Syncthing LXC    | 192.168.50.135 | Multi-user Syncthing instance                 | 135          |
| Vault/Restic LXC | 192.168.50.220 | Backup controller                             | 220          |
| NAS              | 192.168.50.80  | Restic REST server (listening on 10.20.20.80) | -            |

Read-Only Mount Points in Vault LXC

| Example ZFS Dataset on Host | Mount Point in Vault LXC  | Purpose                |
|-----------------------------|---------------------------|------------------------|
| /tank/subvol-142-disk-1     | /source/immich            | Immich library/uploads |
| /tank/subvol-135-disk-2     | /source/syncthing-alice   | Syncthing user Alice   |
| /tank/subvol-135-disk-3     | /source/syncthing-bob     | Syncthing user Bob     |
| /tank/subvol-135-disk-4     | /source/syncthing-charlie | Syncthing user Charlie |

Configured on Proxmox host with read-only mounts (ro=1).

Restic REST Server on NAS (10.20.20.80:8000)

Two separate repositories:

  • /photos → authenticated with user photos-backup
  • /sync-main → authenticated with user sync-backup

--append-only is not used, allowing the backup client to handle pruning directly.

Generic Backup Script Template

Place this in the Vault LXC as /root/backup-mountpoints.sh:

#!/bin/bash
# Simple backup script template for Immich + multi-user Syncthing
# Note: the REST URLs use plain http, so the REST username/password cross the
# network unencrypted (restic still encrypts the backup data itself).

# --- CONFIGURATION: IMMICH ---
IMMICH_REPO="rest:http://photos-backup:StrongPhotoPass2025@10.20.20.80:8000/photos"
IMMICH_PASS="StrongPhotoPass2025"

# --- CONFIGURATION: SYNCTHING ---
SYNC_REPO="rest:http://sync-backup:StrongSyncPass2025@10.20.20.80:8000/sync-main"
SYNC_PASS="StrongSyncPass2025"

FAILED=0   # set to 1 if any restic command fails, so cron sees a non-zero exit

echo "--- Backup Started: $(date) ---"

# ==========================================
# 1. IMMICH BACKUP
# ==========================================
echo "Backing up Immich..."
RESTIC_PASSWORD="$IMMICH_PASS" restic -r "$IMMICH_REPO" backup /source/immich \
    --host immich-server --tag "auto" --verbose || FAILED=1

# Prune Immich repo
RESTIC_PASSWORD="$IMMICH_PASS" restic -r "$IMMICH_REPO" forget \
    --keep-last 3 --keep-daily 7 --keep-weekly 4 --prune || FAILED=1

# ==========================================
# 2. SYNCTHING BACKUP
# ==========================================
echo "Backing up Syncthing Users..."
USERS=("alice" "bob" "charlie")

# Loop variable is SYNC_USER, not USER, to avoid overwriting the shell's login-name variable
for SYNC_USER in "${USERS[@]}"; do
    echo "Processing $SYNC_USER..."
    RESTIC_PASSWORD="$SYNC_PASS" restic -r "$SYNC_REPO" backup "/source/syncthing-$SYNC_USER" \
        --host syncthing-server --tag "user:$SYNC_USER" --verbose || FAILED=1
done

# Prune Syncthing repo (once for all users)
RESTIC_PASSWORD="$SYNC_PASS" restic -r "$SYNC_REPO" forget \
    --keep-last 3 --keep-daily 7 --keep-weekly 4 --prune || FAILED=1

echo "--- Backup Finished: $(date) ---"
exit "$FAILED"

Security hardening:

chmod 700 /root/backup-mountpoints.sh
chown root:root /root/backup-mountpoints.sh
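
The template keeps both repository passwords in the script body and puts the REST password in the -r URL, which is visible in the process list while restic runs. The wrapper below is an added example, not part of the original template: it loads per-repository credentials from owner-only env files and refuses any file that group or others can access. The /root/.restic path, the env-file layout and the RESTIC_BIN override are assumptions; RESTIC_REPOSITORY, RESTIC_REST_USERNAME, RESTIC_REST_PASSWORD and RESTIC_PASSWORD are restic's own environment variables.

```bash
#!/bin/bash
# Added example: keep restic credentials out of the script and off the command line.
# Assumed (hypothetical) layout: one file per repository, e.g. /root/.restic/photos.env,
# mode 600, containing shell assignments such as:
#   RESTIC_REPOSITORY=rest:http://10.20.20.80:8000/photos
#   RESTIC_REST_USERNAME=photos-backup
#   RESTIC_REST_PASSWORD='...'     # quote values that contain shell metacharacters
#   RESTIC_PASSWORD='...'
SECRETS_DIR="${SECRETS_DIR:-/root/.restic}"

# Return 0 only if the path is a regular file (not a symlink), is owned by the
# invoking user, and grants no permissions at all to group or others.
secret_file_ok() {
    local f="$1" perms
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    perms=$(ls -ld -- "$f" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# Run restic with the credentials of the named repository. The env file is
# sourced in a subshell, so one repository's secrets never reach the next call
# or the calling script's environment.
restic_for() {
    local name="$1"; shift
    local env_file="$SECRETS_DIR/$name.env"
    if ! secret_file_ok "$env_file"; then
        echo "refusing $env_file: missing, not owned by caller, or accessible to others" >&2
        return 2
    fi
    (
        set -a              # export every variable the env file defines
        . "$env_file"
        set +a
        exec "${RESTIC_BIN:-restic}" "$@"   # RESTIC_BIN: hypothetical override for testing
    )
}

# Calls that mirror the template's Immich step:
#   restic_for photos backup /source/immich --host immich-server --tag auto --verbose
#   restic_for photos forget --keep-last 3 --keep-daily 7 --keep-weekly 4 --prune
```

Because the env file is sourced as shell code, the ownership and permission check is what keeps it trustworthy; create it with umask 077 before writing any secret into it.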

Automation & Scheduling

Crontab in Vault LXC (crontab -e):

0 3 * * * /root/backup-mountpoints.sh >> /var/log/restic-backup.log 2>&1

Log rotation (/etc/logrotate.d/restic):

/var/log/restic-backup.log {
    daily
    rotate 14
    compress
    missingok
    notifempty
}

Security Model

  • Isolation: Production containers (Immich & Syncthing) have no network access to the NAS backup storage.
  • Read-Only Access: Vault LXC cannot modify or delete live data.
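  • Immutability: running the REST server with --append-only would prevent deletion of snapshots even if the Vault is compromised. This template does not enable it (the Vault prunes directly), so a compromised Vault can delete snapshots in both repositories.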
  • Encryption & Integrity: Restic encrypts all data and performs cryptographic checks.

Recovery Examples

# List Immich snapshots
RESTIC_PASSWORD=StrongPhotoPass2025 restic -r rest:http://photos-backup:...@10.20.20.80:8000/photos snapshots

# Restore latest Immich
RESTIC_PASSWORD=StrongPhotoPass2025 restic -r ... restore latest --target /tmp/restore-immich

# List only Bob's snapshots
RESTIC_PASSWORD=StrongSyncPass2025 restic -r ... snapshots --tag user:bob

# Restore Bob's data
RESTIC_PASSWORD=StrongSyncPass2025 restic -r ... restore latest --tag user:bob --target /tmp/restore-bob

This template preserves the simplicity and effectiveness of your working setup while keeping all identifiers generic and secure. Copy, adapt, and deploy confidently!